08 Audit Sampling to Test of Controls[CompatibilityMode]

Chapter 8 Chapter 8 Audit Sampling: An Overview and Application to Tests of Controls McGraw-Hill/Irwin Copyright © 2008 by The McGraw-Hill Companies, Inc. All rights reserved. Introduction Auditing standards recognize and permit both statistical Auditing standards recognize and permit both statistical and nonstatistical methods of audit sampling. and nonstatistical methods of audit sampling. Two technological advances have reduced the number

of times auditors need to apply sampling techniques to pp y p g q gather audit evidence:

2 Development of Advent of powerful well-controlled, PC audit software to automated download and accounting examine client systems. data _8-2

Introduction

However, technology will never eliminate the need for auditors to rely on sampling to some degree because:

1. Many control processes require human involvement.

2 Many testing procedures require the auditor to physically examine an asset.

2. Many testing procedures require the auditor to

3. In many cases auditors are required to obtain and examine evidence from third parties.

Definitions and Key Concepts

On the following screens we will define: On the following screens we will define:

1. Sampling Risk

1.Sampling Risk

2 Confidence Le el Confidence Level 3.

2 Confidence Le el

2.Confidence Level 2.

3.Tolerable and Expected Error Tolerable and Expected Error

4. Audit Sampling _8-4 LO# 1

4.Audit Sampling

Audit Sampling

Audit sampling is the application of an Audit sampling is the application of an audit procedure to less than 100 percent audit procedure to less than 100 percent of the items within an account balance or of the items within an account balance or class of transactions for the purpose of class of transactions for the purpose of evaluating some characteristic of the evaluating some characteristic of the balance or class. balance or class. 8-5 LO# 2

Sampling Risk Sampling risk is the element of uncertainty that enters into the auditor’s conclusions anytime sampling is used. There are two types of sampling risk.

Risk of incorrect rejection Risk of incorrect rejection (Type I) (Type I) – in a test of internal – in a test of internal controls, it is the risk that the sample supports a conclusion that the control is not operating effectively when, in fact, it is operating effectively.

Risk of incorrect acceptance (Type II) – in a test of internal controls, it is the risk that the sample supports a conclusion that the control is operating effectively when, in fact, it is not operating effectively.

LO# 2 Sampling Risk

Three Important Factors in Determining Sample Size

1. The desired level of assurance in the results (or confidence level), (or confidence level),

1.The desired level of assurance in the results

2. Acceptable defect rate (or tolerable error), and 3. The historical defect rate (or estimated error).

2.Acceptable defect rate (or tolerable error), and

3.The historical defect rate (or estimated error). 8-7 LO# 2 Confidence Level

Confidence level is the complement of sampling risk.

The auditor may set The auditor may set sampling risk for a sampling risk for a li li i k f i k f particular sampling particular sampling application at application at

5 percent 5 percent 5 percent 5 percent , which , which results in a results in a confidence level of confidence level of

95 percent 95 percent 95 percent 95 percent . . _8-8 LO# 2

Tolerable and Expected Error Once the desired confidence level is established, the sample size is determine largely by how much the tolerable error exceeds expected error.

Precision Precision Precision Precision , at the , at the at the at the planning stage of planning stage of

Auditing Standards audit sampling, is audit sampling, is refer to Precision the difference the difference as the “Allowance for between the between the sampling risk” expected and expected and tolerable deviation tolerable deviation rates. rates.

LO# 3 Audit Evidence – To Sample or Not?

Relationship between Evidence Types and Audit Sampling Audit Sampling Type of Evidence Commonly Used Inspection of tangible assets Yes Inspection of records or documents Yes Reperformance Yes Recalculation Yes Confirmation Yes Analytical procedures No Scanning No Inquiry No Observation No _8-10 LO# 3

Audit Evidence – To Sample or Not?

Inspection of tangible assets . Auditors typically attend

the client’s year-end inventory count. When there are a large number of items in inventory, the auditor will select a sample to physically inspect and count.

Inspection of records or documents . Certain controls

may require the matching of documents. The procedure may take place many times a day. The auditor may gather evidence on the effectiveness of the control by testing a sample of the document packages. _8-11

LO# 3 Audit Evidence – To Sample or Not?

Reperformance. To comply with rule 404 of the

Sarbanes-Oxley Act, publicly traded clients must document and test controls over important assertions for significant accounts. The auditor may reperform a sample of the tests performed by the client. f d b th li t

Confirmation. Rather than confirm all customer account

receivable balances, the auditor may select a sample of customers.

Testing All Items with a Particular Characteristic When an account or class of transactions is made up of a few large items , the auditor may examine all the items in the account or class of transaction. When a small number of large transactions make up ^{LO# 3}

8-13 a relatively large percent of an account or class of transactions, auditors will typically test all the transactions greater than a particular dollar amount.

Testing Only One or a Few Items

Highly automated information systems Highly automated information systems process transactions consistently unless the process transactions consistently unless the system or programs are changed. system or programs are changed

Th dit t t th Th dit t t th ^{LO# 3}

8-14

The auditor may test the The auditor may test the general controls over the general controls over the system and any program system and any program changes, but test only a few changes, but test only a few transactions processed by transactions processed by the IT system. the IT system.

Types of Audit Sampling and nonstatistical methods of audit sampling. and nonstatistical methods of audit sampling.

In nonstatistical (or In nonstatistical (or judgmental) sampling, the judgmental) sampling, the Statistical sampling uses Statistical sampling uses the laws of probability to the laws of probability to ^{LO# 4} j g ) p g j g ) p g auditor does not use auditor does not use statistical techniques to statistical techniques to determine sample size, determine sample size, select the sample items, select the sample items, or measure sampling risk. or measure sampling risk. p y p y compute sample size and compute sample size and evaluate results. The evaluate results. The auditor is able to use the auditor is able to use the most efficient sample size most efficient sample size and quantify sampling risk. and quantify sampling risk.

Types of Audit Sampling

Attribute Sampling Used to estimate the proportion of a population that possess a specified characteristic. The most common use of attribute sampling is for tests of controls. ^{LO# 4}

2.Monetary-Unit Sampling. ^{LO# 4} 8-17 3.Classical Variables Sampling.

Statistical Sampling Techniques 1.Attribute Sampling.

3. Lack of consistent application Lack of consistent application across audit teams. across audit teams.

2. Time to design and conduct Time to design and conduct sampling application. sampling application.

1. Training auditors in proper use. Training auditors in proper use.

Advantages of statistical sampling Advantages of statistical sampling 1.

Disadvantages of statistical sampling Disadvantages of statistical sampling 1.

3. Quantify sampling risk. Quantify sampling risk.

3. Quantify sampling risk. Quantify sampling risk. ^{LO# 4} 8-16 3.

2. Measure the sufficiency of Measure the sufficiency of evidence obtained. evidence obtained.

1. Design an efficient sample. Design an efficient sample.

Our client’s controls require that all checks have two independent signatures. Yes, I know. We are planning a test of that control using attribute sampling. Monetary-Unit Sampling Monetary-unit sampling uses attribute sampling theory to estimate the dollar amount of misstatement for a class of transactions or an account balance. ^{LO# 4}

8-19 This technique is used extensively because it has a number of advantages over classical variables sampling.

Classical Variables Sampling Auditors sometimes use variables sampling to estimate the dollar value of a class of transactions or account balance. It is more frequently used to determine whether an account is materially misstated. ^{LO# 4}

8-20 Attribute Sampling Applied to Tests of Controls

In conducting a statistical sample for a test of controls auditing standards require the auditor to properly plan , perform , and evaluate the sampling application and to ^LO# ^{5, 6, & 7} evaluate the sampling application and to adequately document each phase of the sampling application.

Plan Plan Perform Perform Evaluate Evaluate Document Document

_{5, 6, & 7} LO# Planning

Planning 1. Determine the test objectives.

2. Define the population characteristics. • Define the sampling population. • Define the sampling unit. • Define the control deviation conditions.

3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. Th d i d fid l l i k f i t t • The tolerable deviation rate. • The expected population deviation rate.

The objective of attribute sampling when used for tests of controls is to evaluate the operating effectiveness of the internal control. _8-22 _{5, 6, & 7} LO#

Planning Planning 2. Define the population characteristics. • Define the sampling population. • Define the sampling unit. • Define the control deviation conditions.

3. Determine the sample size, using the following inputs: The desired confidence level or risk of incorrect acceptance. • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate.

All or a subset of the items that constitute the class of transactions make up the sampling population. _8-23 _{5, 6, & 7} LO#

Planning Planning • Define the sampling population. • Define the sampling unit. • Define the control deviation conditions.

Each sampling unit makes up one item in the population. The sampling unit should be defined in relation to the specific control being tested.

_{5, 6, & 7} LO# Planning

Planning 2. Define the population characteristics. • Define the sampling population. • Define the sampling unit. • Define the control deviation conditions.

A deviation is a departure from adequate performance of the internal control. _8-25 _{5, 6, & 7} LO#

Planning Planning

3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate.

The confidence level is the desired level of assurance that the sample results will support a conclusion that the control is functioning effectively. Generally, when the auditor has decided to rely on controls, the confidence level is set at 90% or 95%. The means the auditor is willing to accept a 10% or 5% risk of accepting the control as effective when it is not. _8-26 _{5, 6, & 7} LO#

Planning Planning • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate.

Th t l The tolerable deviation rate is the maximum bl d i ti t i th i deviation rate from a prescribed control that the auditor is willing to accept and still consider the control effective.

_{5, 6, & 7} LO# Planning

Planning

Suggested Tolerable Deviation Rates Suggested Tolerable Deviation Rates for Assessed Levels of Control Risk

Tolerable Planned Assessed Level Deviation of Control Risk Rate Low 3–5% Moderate 6–10% Slightly below maximum 11–20% Maximum Omit test _8-28 _{5, 6, & 7} LO# Planning

Planning

The expected population deviation The expected population deviation

rate is the rate the auditor expects to

exist in the population. The larger the expected population deviation rate, the larger the sample size must be, all else equal. _8-29 _{5, 6, & 7} LO#

Planning Planning

Assume a desired confidence level of 95%, and a large population, the effect of 95%, and a large population, the effect of the expected population deviation rate on sample size is shown below: _{Expected Population Sample} _{Deviation Rate Size} _{3.0% ‡} _{2.0% 181} _{1.5% 124} _1.0% ₉₃ ‡ Sam ple size too large to be cost-effective.

_{5, 6, & 7} LO# Population Size: Attributes Sampling

Population size is not an important factor in determining sample size for attributes sampling. The population size has little or no effect on the sample size, unless the _{Tolerable deviation rate Inverse} _{Desired confidence level Direct} _{Factor Sample Size Factor Sample} population is relatively small, say less than 500 items. _{Relationship to Change in Effect on} _{Higher Decrease} _{Lower Increase} _{Higher Increase} _{Lower Decrease} _Examples _{Population size} _{Expected population deviation rate Direct} _{Decreases sample size only when population} _{is small (fewer than 500 items)} Lower Decrease _{Higher Increase} _8-31 _{5, 6, & 7} LO#

Performance Performance and Evaluation 4. Select sample items. • Random-Number Selection. • Systematic Selection.

5. Perform the Audit Procedures. • Voided documents. • Unused or inapplicable documents • Inability to examine a sample item. • Stopping the test before completion.